Category Archives: Security

CelebGate: a Long, Dangerous List of Celebrities

During the past few days, the media has been abuzz with the massive celebrity photo leak nicknamed The Fappening or Celebgate 2014. The story started on August 31 when the first nude pictures appeared on a 4chan board. An impressive list of victims has been posted.
FP_BLOG_140903_01
Fake or true, today almost 450 pictures and videos are circulating on 4chan, Reddit, or Imgur in connection with this story. A Google search for “The Fappening 2014″ returns more than 1.4 million URLs. While some netsurfers work at posting them, website administrators work at deleting them.

The forums are inflamed, and dedicated websites are popping up to expose these photos.
FP_BLOG_140903_02
Archives are offered to download:
FP_BLOG_140903_03
And of course, malicious software is never far from such stories. Searching for these real or fake pictures is a dangerous sport. Behind the URLs you can discover via Google or dedicated forums, most of these paths are dangerous. Your chance of landing on a page that tests positive for spam, adware, spyware, viruses, or other malware is almost a sure thing.

My first two attempts infected my test computer.
FP_BLOG_140903_04
After I disabled my antivirus for 10 minutes to easily browse, I was (not) surprised to detect 10 or more new infections (in the following case several Trojans).
FP_BLOG_140903_05
In 2013, McAfee published a list of the 10 most dangerous celebrities. Today we appear to have a Top 100!

You should always be extra cautious when searching hot topics, which often lead to unwanted programs offered by unscrupulous companies or to malicious sites created by cybercriminals.

The post CelebGate: a Long, Dangerous List of Celebrities appeared first on McAfee.

BurpSentintel – Vulnerability Scanning Plugin For Burp Proxy

BurpSentintel is a plugin for Burp Intercepting Proxy, to aid and ease the identification of vulnerabilities in web applications. Searching for vulnerabilities in web applications can be a tedious task. Most of the time consists of inserting magic chars into parameters, and looking for suspicious output. Sentinel tries to automate parts of this...

Read the full post at darknet.org.uk

Home Depot investigates potential hacking of credit card data

Home Depot may be the latest victim of retail hackings of customer debit and credit card information.

The suspected breach, first reported on Tuesday by journalist and security researcher Brian Krebs, may involve all 2,200 US stores and has some of the hallmarks of the group that compromised Target, Sally Beauty, and P.F. Chang's, according to Krebs. Home Depot is currently looking into the fraud anomalies and promised to notify customers as soon as it has evidence of a breach.

"At this point, I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," Home Depot spokesman Paula Drake said in a statement to Ars. "Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers."

Read 4 remaining paragraphs | Comments

Apple confirms celebrities’ accounts breached in “highly targeted” attack

An Apple spokesperson has issued a statement on the company’s investigation of the hacking of female celebrities’ cloud accounts and the theft of photos from their accounts. And Apple is, in essence, blaming the victims. Or at least, their security questions and passwords.

“We wanted to provide an update to our investigation into the theft of photos of certain celebrities,” the statement reads. “When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us."

Initial reports from security sources suggested that an exploit of a weakness in Apple's "Find My iPhone" API that allowed a brute force password attack. Apple has discounted those reports, and it blames the success of the attacker on what amounts to social engineering of the accounts—by trying to use personal data to guess passwords or answers to security questions for the accounts in question. "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

Read 1 remaining paragraphs | Comments

Update: FBI, Apple investigating celebrity photo hacks

A spokesperson for Apple confirmed that the company is investigating whether an alleged vulnerability in the company’s “Find My iPhone” service and other possible vulnerabilities in its iCloud cloud storage service for Apple devices were used in the hacking of the personal photos of a number of celebrities. The FBI is also investigating whether the accounts of the celebrities were hacked.

Some of the photos, which were leaked through the “/b/” discussion forum on 4chan over the weekend, were apparently taken from iPhones—though it remains unclear when the hacking took place, or even if the same attackers are responsible for all of the leaked images.

“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Nat Kerris in a statement sent to the Wall Street Journal.

Read 5 remaining paragraphs | Comments

What Jennifer Lawrence can teach you about cloud security

By now, you have probably heard about the digital exposure, so to speak, of nude photos of as many as 100 celebrities, taken from their Apple iCloud backups and posted to the “b” forum on 4Chan. Over the last day, an alleged perpetrator has been exposed by redditors, although the man has declared his innocence. The mainstream media have leapt on the story and have gotten reactions from affected celebrities including Oscar winner Jennifer Lawrence and model Kate Upton.

Someone claiming to be the individual responsible for the breach has used 4Chan to offer explicit videos from Lawrence’s phone, as well as more than 60 nude “selfies” of the actress. In fact, it seems multiple "b-tards" claimed they had access to the images, with one providing a Hotmail address associated with a PayPal account, and another seeking contributions to a Bitcoin wallet. Word of the images launched a cascade of Google searches and set Twitter trending. As a result, 4Chan/b—the birthplace of Anonymous—has opened its characteristically hostile arms to a wave of curious onlookers hoping to catch a glimpse of their favorite starlets’ naked bodies. Happy Labor Day!

This breach is different from other recent celebrity "hacks" in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or some low-tech research to gain control of the victims' cloud accounts, the attacker basically bashed in the front door—and Apple didn't find out until the attack was over. While an unusual, long, convoluted password may have prevented the attack from being successful, the only real defense against this assault was never to put photos in Apple's cloud in the first place. Even Apple's two-factor authentication would not have helped.

Read 10 remaining paragraphs | Comments

Copyright © 2014. Powered by WordPress & Romangie Theme.